...
It’s good practice to work with , at least on API Resource here. By adding the appropriate api_resource or to be more precise, a scope containing the api_resource to the client configuration in the CoreOne Admin UI. This way you can - like with any other flow as well - indicate the intention of the token. The example below is issued to a test client, and we can clearly see that this client does have access to the cos_app_api and the cos_auth_api as indicated in the scope and the aud.
...